syft

command module

v0.5.0 Latest Latest Go to latest Published: Oct 30, 2020 License: Apache-2.0 Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/anchore/syft

Links

Open Source Insights

README ¶

syft

A CLI tool and go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

syft-demo

Features

Catalog container images and filesystems to discover packages and libraries.
Supports packages and libraries from various ecosystems (APK, DEB, RPM, Ruby Bundles, Python Wheel/Egg/requirements.txt, JavaScript NPM/Yarn, Java JAR/EAR/WAR, Jenkins plugins JPI/HPI, Go modules)
Linux distribution identification (supports Alpine, BusyBox, CentOS/RedHat, Debian/Ubuntu flavored distributions)
Supports Docker and OCI image formats

If you encounter an issue, please let us know using the issue tracker.

Getting started

To generate an SBOM for a Docker or OCI image:

syft <image>

The above output includes only software that is visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the SBOM, regardless of its presence in the final image, provide --scope all-layers:

syft <image> --scope all-layers

Syft can generate a SBOM from a variety of sources:

# catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
syft path/to/image.tar

# catalog a directory
syft path/to/dir

The output format for Syft is configurable as well:

syft <image> -o <format>

Where the formats available are:

json: Use this to get as much information out of Syft as possible!
text: A row-oriented, human-and-machine-friendly output.
cyclonedx: A XML report conforming to the CycloneDX 1.2 specification.
table: A columnar summary (default).

Installation

Recommended

# install the latest version to /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

# install a specific version into a specific dir
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b <SOME_BIN_PATH> <RELEASE_VERSION>

macOS

brew tap anchore/syft
brew install syft

You may experience a "macOS cannot verify app is free from malware" error upon running Syft because it is not yet signed and notarized. You can override this using xattr.

xattr -rd com.apple.quarantine syft

Configuration

Configuration search paths:

.syft.yaml
.syft/config.yaml
~/.syft.yaml
<XDG_CONFIG_HOME>/syft/config.yaml

Configuration options (example values are the default):

# same as -o ; the output format of the SBOM report (options: table, text, json)
output: "table"

# same as -s ; the search space to look for packages (options: all-layers, squashed)
scope: "squashed"

# same as -q ; suppress all output (except for the SBOM report)
quiet: false

log:
  # use structured logging
  structured: false

  # the log level; note: detailed logging suppress the ETUI
  level: "error"

  # location to write the log file (default is not to have a log file)
  file: ""

# enable/disable checking for application updates on startup
check-for-app-update: true

Future plans

The following areas of potential development are currently being investigated:

Establish a stable interchange format w/Grype

Documentation ¶

Overview ¶

Syft is a CLI tool and go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

Note that Syft is both a command line tool as well as a library. See the syft/ child package for library functionality.

Source Files ¶

View all Source files

main.go

Directories ¶

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Path	Synopsis
cmd
internal
bus Package bus provides access to a singleton instance of an event bus (provided by the calling application).	Package bus provides access to a singleton instance of an event bus (provided by the calling application).
config
file
format
log
logger
ui
ui/common
ui/etui Package etui provides an "ephemeral" terminal user interface to display the application state dynamically.	Package etui provides an "ephemeral" terminal user interface to display the application state dynamically.
version
syft A "one-stop-shop" for helper utilities for all major functionality provided by child packages of the syft library.	A "one-stop-shop" for helper utilities for all major functionality provided by child packages of the syft library.
cataloger Package cataloger provides the ability to process files from a container image or file system and discover packages (gems, wheels, jars, rpms, debs, etc).	Package cataloger provides the ability to process files from a container image or file system and discover packages (gems, wheels, jars, rpms, debs, etc).
cataloger/apkdb Package apkdb provides a concrete Cataloger implementation for Alpine DB files.	Package apkdb provides a concrete Cataloger implementation for Alpine DB files.
cataloger/common Package common provides generic utilities used by multiple catalogers.	Package common provides generic utilities used by multiple catalogers.
cataloger/deb Package dpkg provides a concrete Cataloger implementation for Debian package DB status files.	Package dpkg provides a concrete Cataloger implementation for Debian package DB status files.
cataloger/golang Package golang provides a concrete Cataloger implementation for go.mod files.	Package golang provides a concrete Cataloger implementation for go.mod files.
cataloger/java Package java provides a concrete Cataloger implementation for Java archives (jar, war, ear, jpi, hpi formats).	Package java provides a concrete Cataloger implementation for Java archives (jar, war, ear, jpi, hpi formats).
cataloger/javascript Package javascript provides a concrete Cataloger implementation for JavaScript ecosystem files (yarn and npm).	Package javascript provides a concrete Cataloger implementation for JavaScript ecosystem files (yarn and npm).
cataloger/python Package python provides a concrete Cataloger implementation for Python ecosystem files (egg, wheel, requirements.txt).	Package python provides a concrete Cataloger implementation for Python ecosystem files (egg, wheel, requirements.txt).
cataloger/rpmdb Package rpmdb provides a concrete Cataloger implementation for RPM "Package" DB files.	Package rpmdb provides a concrete Cataloger implementation for RPM "Package" DB files.
cataloger/ruby Package bundler provides a concrete Cataloger implementation for Ruby Gemfile.lock bundler files.	Package bundler provides a concrete Cataloger implementation for Ruby Gemfile.lock bundler files.
distro
event Package event provides event types for all events that the syft library published onto the event bus.	Package event provides event types for all events that the syft library published onto the event bus.
event/parsers Package parsers provides parser helpers to extract payloads for each event type that the syft library publishes onto the event bus.	Package parsers provides parser helpers to extract payloads for each event type that the syft library publishes onto the event bus.
logger Defines the logging interface which is used throughout the syft library.	Defines the logging interface which is used throughout the syft library.
pkg Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.	Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.
presenter Defines a Presenter interface for displaying catalog results to an io.Writer as well as a helper utility to obtain a specific Presenter implementation given user configuration.	Defines a Presenter interface for displaying catalog results to an io.Writer as well as a helper utility to obtain a specific Presenter implementation given user configuration.
presenter/cyclonedx Package cyclonedx is responsible for generating a CycloneDX XML report for the given container image or file system.	Package cyclonedx is responsible for generating a CycloneDX XML report for the given container image or file system.
presenter/json
presenter/table
presenter/text
scope Package scope provides an abstraction to allow a user to loosely define a data source to catalog and expose a common interface that catalogers and use explore and analyze data from the data source.	Package scope provides an abstraction to allow a user to loosely define a data source to catalog and expose a common interface that catalogers and use explore and analyze data from the data source.
scope/resolvers Package resolvers provides concrete implementations for the scope.Resolver interface for all supported data sources and scope options.	Package resolvers provides concrete implementations for the scope.Resolver interface for all supported data sources and scope options.
ui Package ui provides all public UI elements intended to be repurposed in other applications.	Package ui provides all public UI elements intended to be repurposed in other applications.